Apple Faces California Lawsuit Over App Store User Data Collection

While Apple’s privacy focus in recent years has generally been seen as a consumer benefit, one controversial element has been the exceptions that the company makes for some of its own first-party apps (primarily the App Store and the News app). The company is now being challenged in court on this basis, with a California man arguing that continued user data collection via these apps when privacy settings are engaged violates the state’s Invasion of Privacy Act.

App Store lawsuit alleges iOS privacy settings mislead users

The lawsuit stems from a report published in Gizmodo in early November, which found that a handful of first-party Apple apps continue to vacuum up personal information even when user data collection is ostensibly disabled via the iPhone Analytics settings. The study found that the App Store, Apple Music, Apple TV, Books, and Stocks do not appear to be impacted by this or any other global privacy settings on devices.

The report finds that this first-party user data collection is quite extensive, potentially more so than users realize. The App Store collects every tap made in the app and funnels it to a behavior profile, even if targeted advertising is entirely disabled. This profile includes the text of app searches, what apps the user looked at (and the length of time), how they found their way to apps they showed interest in, and what ads were displayed to them while navigating the store.

Disturbingly, the App Store also gathers a profile of device information that overlaps with the elements commonly used for fingerprinting: ID number, device model, screen resolution, keyboard language, and information about the current internet connection. Apple has banned developers from using device fingerprinting as a way of getting around its App Tracking Transparency requirements.

Not all of the Apple apps continue with user data collection once privacy settings are enabled; the report found Health and Wallet were not transmitting any information, and some (such as Stocks) transmit a limited and less detailed set of information that appeared to be focused on synchronizing different devices via iCloud. The App Store appeared to be the worst offender in terms of profiling.

The key to the court case is that disabling iPhone Analytics tells the user that Device Analytics has been “disabled altogether.” Apple’s implied meaning appears to be that it doesn’t count so long as it is the only recipient of the data it is collecting. That is far from clear to the end user, however. The researchers noted that tests of assorted popular web browsers, such as Chrome and Edge, show that first-party data collection of this type is disabled when similar privacy settings are engaged.

Apple user data collection: Rules for thee, not for me

The lawsuit is taking the interesting tack of declaring a breach of the California Invasion of Privacy Act rather than the state’s CCPA data protection law. This is the state law that covers wiretapping, and it specifies that all parties involved in a confidential conversation must provide consent to recording. The plaintiff is seeking to have the case qualified as a class action.

Apple has already faced some trouble over its user data collection policies, but this is something of a new angle. It is one that has been brought up by app developers since the App Tracking Transparency framework was announced, but generally in the context of how the new opt-in model damages their business. Some EU governments have also examined the possibility that the situation is an abuse of monopoly power by Apple, as mobile apps have only two realistically feasible markets to go to.

There is some precedent for applying the California wiretapping law to internet communications, and even the use of tracking cookies. However, it is unclear if this will apply in these circumstances; the central question will be whether or not Apple collected valid consent to the standard of the law, and if it is appropriately safeguarding the data it collects (a standard that would appear to be met given that Apple says it does not share any first-party app data with any third parties). While the notification when disabling iPhone Analytics does not appear to adequately inform users that user data collection is still occurring via some of these apps, device users provide other consent agreements (for example, App Store use and use of the device itself) that may legally cover the situation.

The plaintiff is seeking $5,000 in damages (based on the value of the data that was collected), and if the class action status is approved this would presumably be the amount sought by other claimants.